SECOND REGULAR SESSION
SENATE BILL NO. 1171
91ST GENERAL ASSEMBLY
INTRODUCED BY SENATOR HOUSE.
Read 1st time February 18, 2002, and 1,000 copies ordered printed.
TERRY L. SPIELER, Secretary.
4791S.01I
AN ACT
To amend chapter 191, RSMo, by adding thereto one new section relating to nonpublic personal health information.
Section A. Chapter 191, RSMo, is amended by adding thereto one new section, to be known as section 191.890, to read as follows:
191.890. 1. For purposes of this section, the following terms mean:
(1) "Disclose", to release, transfer, provide access to, or divulge in any other manner information outside the entity holding the information; except that disclosure shall not include any information divulged directly to the individual to whom such information pertains;
(2) "Federal privacy rules", the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services, 45 CFR Parts 160 to 164;
(3) "Health information", any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or an individual that relates to;
(a) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(b) The provision of health care to an individual; or
(c) Payment for the provision of health care to an individual;
(4) "Licensee", all licensed insurers, producers, and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to chapter 375, RSMo, a health maintenance organization holding or required to hold a certificate of authority pursuant to chapter 354, RSMo, or any other entity or person subject to the supervision and regulation of the department of insurance;
(5) "Nonpublic personal health information", health information:
(a) That identifies an individual who is the subject of the information; or
(b) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual;
(6) "Person", without limitation, an individual, a foreign or domestic corporation whether for profit or not-for-profit, a partnership, a limited liability company, an unincorporated society or association, two or more persons having a joint or common interest, a governmental agency or any other entity.
2. Any person who in the ordinary course of business, practice of a profession, or rendering of a service creates, stores, receives, or furnishes nonpublic personal health information shall not disclose by any means of communication such nonpublic personal health information except pursuant to a prior written authorization of the person to whom such information pertains or such person's authorized representative, if:
(1) The nonpublic personal health information is disclosed in exchange for consideration to an affiliate or other third party; or
(2) The purpose of the disclosure is:
(a) For the marketing of services or goods for personal, family, or household purposes;
(b) To facilitate an employer's employment-related decision regarding hiring, termination, and the establishment of any other conditions of employment, except as necessary to provide health or other benefits to an existing employee;
(c) For use in connection with the evaluation of an existing or requested extension of credit for personal, family, or household purposes; or
(d) To deliberately or maliciously cause harm to the person to whom the nonpublic personal health information pertains or to a person who creates, stores, or receives the nonpublic personal health information, except as necessary to conduct the business, practice, or service offered by the disclosing person or entity.
3. Nothing in this section shall be deemed to prohibit any disclosure of nonpublic personal health information as is necessary to comply with any other state or federal law.
4. Any person other than a licensee who knowingly violates the provisions of this section shall be assessed an administrative penalty of not more than five hundred dollars for each violation of this section and may be liable in a civil action for damages and equitable relief. An administrative penalty under this section may be assessed by a state agency responsible for regulating the person or by the attorney general.
5. To the extent a person other than a licensee is subject to and complies with all requirements of the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services, 45 CFR Parts 160 to 164 (the federal privacy rules), such person shall be deemed to be in compliance with this section. Until April 14, 2003, a person other than a licensee that is subject to the federal privacy rules shall be deemed to be in compliance with this section upon demonstration of a good faith effort to comply with the requirements of the federal privacy rules.
6. Irrespective of whether a licensee is subject to the federal privacy rules, if a licensee complies with all requirements of the federal privacy rules except for the effective date provision, the licensee shall be deemed to be in compliance with this section. Until April 14, 2003, a licensee shall be deemed to be in compliance with this section upon demonstration of a good faith effort to comply with the requirements of the federal privacy rules.
7. If a licensee complies with the model regulation adopted on September 26, 2000, by the National Association of Insurance Commissioners entitled "Privacy of Consumer Financial and Health Information Regulation", the licensee shall be deemed to be in compliance with this section.
8. Notwithstanding the provisions of subsections 5 and 6 of this section, no person or licensee may disclose nonpublic personal health information for marketing purposes contrary to paragraph (a) of subdivision (2) of subsection 2 of this section.
9. The provisions of this section do not apply to information from or to consumer reporting agencies as defined by the federal Fair Credit Reporting Act, 15 U.S.C. Section 1681 et seq., or debt collectors as defined by the federal Fair Debt Collection Practices Act, 15 U.S.C. Section 1692 et seq. to the extent such entities are engaged in activities regulated by these federal acts.
10. The provisions of this section do not apply to information disclosed in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, including but not limited to the sale of a portfolio of loans, if the disclosure of nonpublic personal health information concerns solely consumers of the business or unit and the disclosure of the nonpublic personal health information is not the primary reason for the sale, merger, transfer, or exchange.
11. The director of the department of insurance shall have the sole authority to enforce this section with respect to licensees including, without limitation, treating violations of this section by licensees as an unfair trade practice pursuant to sections 375.936 to 375.948, RSMo. Licensees shall be entitled to all the protections of law contained therein.